Watch Out - Hard To Detect Wordpress Hacking

17 replies
This is not a normal hacking job and it is difficult for the site owner to detect because when you go to your site directly you will not notice anything.

But when people find you from a Google search result page , your site will re-direct to this domain:

-- sokoloperkovuske.com/in.php?pp=172 --

This means your .htaccess file has been altered.

it is recommended to block all sites in this range - 91.220.0.0/24 - in your htaccess file

Here's an article that covers this more
#detect #hacking #hard #watch #wordpress
  • Profile picture of the author Karan Goel
    Yeah. My site was hacked a month ago, and a lot of (84, to be precise) URLs in the format:

    site.com/index.php?pid=XX&id=XX

    were created.

    When I checked, I found that the hacker used xRumer to blast those URLs to 33k forums and spammed them to hell. All my ranks were dominated by these URLs.

    I had to look into my DB to find the malicious code, and fix it.

    But still, my site is shows the "This site may be compromised" link underneath it in Google.
    Signature
    Penalty Safe, Long Term, 100% Whitehat Backlinks
    Love your site? Then check out SafeSpokes!
    ~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_
    karan996@irchiver.com karan997@irchiver.com
    {{ DiscussionBoard.errors[4532964].message }}
  • Profile picture of the author Chris Paterson
    Interesting and scary at the same time. Any preventative measures that anyone recommends?
    {{ DiscussionBoard.errors[4533077].message }}
  • Profile picture of the author Istvan Horvath
    Originally Posted by jamawebinc View Post

    This means your .htaccess file has been altered.

    it is recommended to block all sites in this range - 91.220.0.0/24 - in your htaccess file

    Here's an article that covers this more
    My problem with this post and the quoted blog post.

    None of them gives explanation WHY does it happen; i.e. the "alteration" of the .htaccess file. (I have a suspicion but need to investigate)

    Instead of blocking certain range of IPs the solution should focus on HOW to secure the .htaccess file.

    P.S. OK, did some reading...

    First, Open your FTP client and make sure your .htaccess file's permissions are 644 or lower. Reminder: many people make the file "world writable" when setting up the nice permalinks and never change it back!

    Protect the htaccess file itself, by adding this to it:
    Code:
    <Files .htaccess>
     order allow,deny
     deny from all
    </Files>
    Signature

    {{ DiscussionBoard.errors[4533632].message }}
    • Profile picture of the author JohnMcCabe
      Istvan, looks like you have a new candidate for the next edition of your excellent WSO...
      {{ DiscussionBoard.errors[4533852].message }}
    • Profile picture of the author margocales
      To assist a newcomer.

      If I change the .htaccess file as you say to 644 instead of 755 will this stop me accessing the blog for outside posting? Will I only be able to post by opening the site?
      Signature
      Learn New Skills and Ideas and Increase Your Income with Video Tutorials

      Margocales Media
      Margocales Products
      {{ DiscussionBoard.errors[4536850].message }}
      • Profile picture of the author Jonas B
        Originally Posted by margocales View Post

        To assist a newcomer.

        If I change the .htaccess file as you say to 644 instead of 755 will this stop me accessing the blog for outside posting? Will I only be able to post by opening the site?
        Not sure what you mean, but the numbers represent the rights people have to read/write/execute


        644 = owner can read/write, groups/other can read
        755 = owner can read/write/execute, groups/others can read/execute

        so there is no need for execution unless some script tries to execute it obviously

        I suggest you read this:http://codex.wordpress.org/Changing_...ss_permissions

        HOpe it helps
        Signature
        Proud owner of the most flexible mobile app builder. Check it out at http://bit.ly/hybrica!
        Mobile Web Expert & Android Developer
        {{ DiscussionBoard.errors[4536904].message }}
      • Profile picture of the author Istvan Horvath
        Originally Posted by margocales View Post

        To assist a newcomer.

        If I change the .htaccess file as you say to 644 instead of 755 will this stop me accessing the blog for outside posting? Will I only be able to post by opening the site?
        I don't think so.

        File permission are just that: who has permissions to do something with THAT file. Having chmod 755 = it is world wide writable, meaning anybody can over-write it. 644 is safe.
        Signature

        {{ DiscussionBoard.errors[4536916].message }}
        • Profile picture of the author Tashi Mortier
          Originally Posted by Istvan Horvath View Post

          I don't think so.

          File permission are just that: who has permissions to do something with THAT file. Having chmod 755 = it is world wide writable, meaning anybody can over-write it. 644 is safe.
          Not correct, unix has three bits for access levels, 2^2 is read (4), 2^1 is write (2) and 2^0 is execute (1).

          Add the numbers together 4 + 2 = 6, read and write.

          4 + 1 = 5, read and execute.

          4 + 2 + 1 = 7, read, write and execute.

          Why keep write access on the .htaccess file at all? Just change it to 444.

          Directories are a bit different, they need execute rights so your web server is allowed to get into them (otherwise you might geht 403 or 503 errors). With your other files, they don't need to be executed, the webserver reads and parses them.


          In my experience there are some common backdoors:
          1. Some security hole in the script itself, keep your script updated.
          2. Too easy passwords - somebody gained admin control to your site
          3. Your computer got hacked/infected and passwords were stolen from FileZilla etc

          Make sure you only use scripts and plugins from expert programmers or scary stuff can happen. Most people just think reading a PHP book is enough to sell WordPress plugins. Hello SQL Injection, XSS, CSRF... (look these up in wikipedia ).
          Signature

          Want to read my personal blog? Tashi Mortier

          {{ DiscussionBoard.errors[4584754].message }}
          • Profile picture of the author KylePeters
            Originally Posted by Tashi Mortier View Post

            Why keep write access on the .htaccess file at all? Just change it to 444.
            Yeah! This is a good idea providing that you will not be adding any more plugins that may write to the .htaccess file like redirection script. However, it will give you an error msg., and then you can just go back to your cPanel to temporarily change it back to 644 -- and let it write... and then change it back to 444.

            And having said all this --- I read somewhere in this forum that when .htaccess files get hacked -- it usually changes to 444 -- which is weird! Maybe you can elaborate on this?? and if changing to 444 is still a good idea??

            Kyle
            Signature
            Some cool Graphic web design services and training courses!
            {{ DiscussionBoard.errors[7667371].message }}
    • Profile picture of the author trentonlaura
      Originally Posted by Istvan Horvath View Post

      My problem with this post and the quoted blog post.

      None of them gives explanation WHY does it happen; i.e. the "alteration" of the .htaccess file. (I have a suspicion but need to investigate)

      Instead of blocking certain range of IPs the solution should focus on HOW to secure the .htaccess file.

      P.S. OK, did some reading...

      First, Open your FTP client and make sure your .htaccess file's permissions are 644 or lower. Reminder: many people make the file "world writable" when setting up the nice permalinks and never change it back!

      Protect the htaccess file itself, by adding this to it:
      Code:
      <Files .htaccess>
       order allow,deny
       deny from all
      </Files>
      What does this code do and does it matter where in the htaccess file it goes? Is this something I should be doing?
      {{ DiscussionBoard.errors[4584030].message }}
    • Profile picture of the author tomfinster
      Originally Posted by Istvan Horvath View Post

      Protect the htaccess file itself, by adding this to it:
      Code:
      <Files .htaccess>
       order allow,deny
       deny from all
      </Files>
      Hey Istvan,

      I was told that if we have Hostgator, then we don't need to protect the htaccess with this code... do you know if this is True? And if so, will it hurt if we add this code as a double layer of protection anyway? Or will it disrupt Hostgator's HTAccess protection?

      In Many Thanks!
      Signature

      Some Of The Top Affiliate Courses In The Industry!

      {{ DiscussionBoard.errors[7670688].message }}
  • Profile picture of the author colinph970
    as a general rule set CHMOD to 644 for files and 755 for folders......blog still accessible for posting
    {{ DiscussionBoard.errors[4536909].message }}
  • Profile picture of the author SteveJohnson
    The question remains - and why I have a real problem with threads titled like this one is - how was write access to the .htaccess file gained?

    Odds are about even that WordPress had nothing to do with it, unless the site owner was running a very out-of-date WP version.

    ON THE OTHER HAND, some of the early not-so-well-written cloaking plugins were/are ripe for a hacker person because the user input was not properly sanitized and capabilities and intentions weren't checked before the redirect was stored. Some redirect/cloaking plugins made use of redirects written to the .htaccess file itself.

    In short, no one can say definitively that "WordPress was hacked!" without further investigation.

    Unix filesystem permissions can be a little difficult to understand. The three digits represent the permission level for 3 categories of user: what the owner can do with the file, what the user group can do with the file, and finally what the rest of the world can do with the file.

    What makes it even more difficult to understand is that a directory is actually a file, and that file has permissions.

    ANYHOW, here's the bottom line: if you're on one of the major hosting companies - HostGator, BlueHost, etc. - you should never need to modify file permissions. The reason is rather complicated, but basically it's because they've allowed PHP to run as 'user' rather than as 'Apache'. The techie details are here: suEXEC Support - Apache HTTP Server


    Here's an easy way to tell - if you can install plugins from the Add New link on the plugins page, you should never have to change file or directory permissions for your WordPress site.
    Signature

    The 2nd Amendment, 1789 - The Original Homeland Security.

    Gun control means never having to say, "I missed you."

    {{ DiscussionBoard.errors[4537153].message }}
    • Profile picture of the author weblink29
      I had 2 sites hacked in the past. The last time it happened the hacker placed a bank phishing website in one of my folders. I had no idea it was there until I was snooping around my folders one day.

      General Consensus was they accessed my server via a php injection attack.

      There will always be hackers that attempt to take over websites just to see if they can. There will also be people who try to access your server to run their own promotion from your website remotely. They don't care if your website gets shut down for abuse.

      The only way you can beat them is to learn more about hacking than they know. It isn't worth the effort for me. I just try to secure things the best way I can and repair any damage they cause when they do.

      I back up my data from my web servers to my hard drive from time to time to make it easier to rebuild a site if it's trashed.
      Signature

      Nothing to see here folks.....move along.

      {{ DiscussionBoard.errors[4537268].message }}
  • Profile picture of the author Daniel Rickfold
    This Wordpress Vulnerability Affects Over 90%
    of WordPress Sites


    How? Almost every WordPress theme uses an image resizing utility called TimThumb. The new version of this - called WordThumb has this issue fixed, however most theme developers don't know about this, nor older themes are able to fix this.

    This is quite a dangerous vulnerability and YOUR WordPress sight is almost 90% sure to have it, if you're using any custom theme, either bought or free.

    This gives the attacker the opportunity to gain access to your server and once inside... do whatever he wants.

    HOW TO FIX IT
    Check out this blog post that reveals how to fix this or update it to make sure you won't fall victim to this vulnerability again.
    Zero Day Vulnerability in many Wordpress Themes | mm

    Hope this helps!
    Signature

    Be The Change You Want To See In The World

    {{ DiscussionBoard.errors[4584246].message }}
  • Profile picture of the author Simon Hall
    Its an interesting thread. I have had a similar experience as some others in the past mainly due to not updating Wordpress and the TimThumb issue described earlier. Luckily I was with Hostgator who were fantastic as several of my blogs were hacked/infected on my server at the same time and they ran diagnostics and located all the problems. However it wasn't a good experience by any means.
    I cant claim to have anywhere the technical knowledge of some of the other contributors to this discussion but I would say their are a few golden rules to follow .
    Use a strong password and avoid an easy username. Keep Themes and plugins up to date to avoid vulnerabilities and install a security plugin like bulletproof-security. This will help manage .htaccess files and folder permissions.
    You can also use the plugin wp lockdown to add some extra security to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range.

    Hope this is of some use.
    {{ DiscussionBoard.errors[7670933].message }}
    • Profile picture of the author so11
      The file .htaccess is used to enforce access control directives for the directory in which it is present, and can exist for any directory.

      Permissions set in this file override those set at an upper level in the directory hierarchy or at the operating system level.

      A user who does not have access permissions on file, but has write permission on .htaccess, can change directives in .htaccess to gain write or execute permissions, thus circumventing other access controls.

      Hence, this file should be protected from nonroot users who are not a part of the Apache server management.
      Signature
      www.groupesoloviev.com
      We help businesses manage cyber risk and compliance requirements.
      {{ DiscussionBoard.errors[7671685].message }}

Trending Topics